On 2012-06-22 03:44, Mark Nottingham wrote:
> As per <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/271>, I'm reviewing our use of SHOULD in the documents; here I also pick on a few MAYs. Where I find issues, I've flagged with EDITORIAL or DESIGN as seems appropriate (I won't open issues for the design ones until we discuss; the editorial ones are considered attached to #271).
>
> 2.1
>
> "Requests for protected resources that omit credentials, contain invalid credentials (e.g., a bad password), or partial credentials (e.g., when the authentication scheme requires more than one round trip) SHOULD return a 401 (Unauthorized) response."
>
> EDITORIAL - make the subject of the requirement more obvious, e.g., "Upon a request for a protected resource that omits credentials, contains invalid credentials (e.g., a bad password), or partial credentials (e.g., when the authentication scheme requires more than one round trip), an origin server SHOULD return a 401 (Unauthorized) response."
OK.
> "Likewise, requests that require authentication by proxies that omit credentials, or contain invalid or partial credentials should return a 407 (Proxy Authentication Required) response."
>
> EDITORIAL - same as above.
Please confirm:
Likewise, upon a request that requires authentication by proxies that
omit credentials, or contain invalid or partial credentials, a proxy
SHOULD return a 407 (Proxy Authentication Required) response. Such
responses MUST include a Proxy-Authenticate header field containing a
(possibly new) challenge applicable to the proxy.
> 3.1
>
> "If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the representation that was given in the response, since that representation might include relevant diagnostic information."
>
> OK
>
> 4.1
>
> "If a request is authenticated and a realm specified, the same credentials SHOULD be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, such as credentials that vary according to a challenge value or using synchronized clocks)."
>
> Not entirely happy here (the subject of the requirement isn't clear), but don't have much to suggest.
>
> 4.2
>
> "Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and SHOULD NOT be passed on to downstream clients."
>
> EDITORIAL - change to "...current connection, and intermediaries SHOULD NOT forward it to downstream clients."
OK.
Proposed patch:
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/271/271-p7.diff>
Best regards, Julian
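An added example, not from this thread or the HTTPbis drafts, modelling the 401/407 rules in 2.1 and the rule in 4.2 that Proxy-Authenticate is not forwarded downstream; the realm, the user table and the use of the Basic scheme for the credential check are assumptions.

```python
import base64

REALM = "example"                 # assumed realm name
VALID_USERS = {"alice": "s3cret"}  # constructed test credentials


def basic_value(user, password):
    """Build a Basic credential value for the test inputs."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def classify_credentials(value):
    """Return 'missing', 'partial', 'invalid' or 'valid' for an
    Authorization / Proxy-Authorization field value (Basic scheme assumed)."""
    if value is None:
        return "missing"
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return "partial"  # scheme name only, or no usable parameter
    try:
        user, _, pw = base64.b64decode(parts[1], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return "partial"  # not decodable as user-id:password
    return "valid" if VALID_USERS.get(user) == pw else "invalid"


def challenge(headers, role):
    """Origin servers answer 401 with WWW-Authenticate; proxies answer 407
    with Proxy-Authenticate. Returns (status, response headers)."""
    if role == "origin":
        cred_field, status, chal_field = "Authorization", 401, "WWW-Authenticate"
    else:
        cred_field, status, chal_field = "Proxy-Authorization", 407, "Proxy-Authenticate"
    if classify_credentials(headers.get(cred_field)) == "valid":
        return 200, {}
    # missing, partial and invalid credentials all get a (possibly new) challenge
    return status, {chal_field: 'Basic realm="%s"' % REALM}


def forward_downstream(status, headers):
    """An intermediary relays the response but drops Proxy-Authenticate,
    which applies only to the connection it was received on."""
    kept = {k: v for k, v in headers.items() if k.lower() != "proxy-authenticate"}
    return status, kept
```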